New Online Data Privacy Rules?

12 04 2012

On March 26, 2012, the Federal Trade Commission (FTC) issued its final report on online data privacy entitled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers”.[1] While the FTC did not require businesses to immediately make any changes, it encouraged companies engaging in online commerce to adopt “best practices” in protecting consumer data otherwise Congress would legislate that protection.[2] The “agency suggests Congress pass something resembling the Fair Credit Reporting Act, or an update of that act. Under the FTC’s suggested legislation, people would have access to the information collected and stored about them, and, perhaps, be able to delete or edit it.”[3]

The major recommendations from the report include:

  • Design and construction of added privacy and accuracy components at every stage of the software development life cycle
  • Simplified and easy to understand mechanisms for consumers to choose what data is collected and with whom that data is shared
  • Disclosure and viewing of the consumer data already collected by online firms[4]

The report includes five main action items for the FTC to focus on:

  • Enabling consumers to eliminate the amount of data collected about them through a “Do-Not-Track” mechanism
  • Expansion of the rules to include mobile devices such as smartphones
  • Establishment of a “data broker” centralized website to define the data broker organizations and how those organizations collect and process consumer data
  • Recognition of the privacy risks associated with “large platform providers” such as browser and operating system vendors, phone companies, and social media firms such as Facebook
  • Creation of “codes of conduct” unique to each industry[5]

Analysis

With respect to the construction of privacy components, the recommendations comprehend a known fact in software development: retrofitting production software to meet a requirement is considerably more difficult and expensive than including that requirement in the design and development effort. While the privacy requirements have not been fully defined, “The final FTC Privacy Report is a must-read for virtually every company that collects or uses identifiable consumer data – online or otherwise.”[6] Individuals involved in information technology in the companies that process consumer information will need to make assumptions and modify their software accordingly regarding how user information is collected, stored, and disseminated based on the information in the FTC report.

The “simplified and easy to understand” mechanisms recommended by the FTC aren’t necessarily met by existing software. On Microsoft Explorer version 8, the user must go to the Tools menu, select Internet Options, then Privacy. On the Privacy menu there are options for “InPrivate Filtering” and Cookie Handling” as shown in Figure 1 below.

Figure 1 – Privacy Options

According to Microsoft Online Help, “InPrivate Filtering works by analyzing web content on the webpages you visit, and if it sees the same content being used on a number of websites, it will give you the option to allow or block that content. You can also choose to have InPrivate Filtering automatically block any content provider or third-party website it detects, or you can choose to turn off InPrivate Filtering.”[7] As can be seen from Figure 1, the InPrivate default settings used within GM are to:

  • Allow collection of InPrivate data
  • “Disable toolbars and extensions when InPrivate browsing starts
  • Override automatic cookie handling
  • Accept First-party Cookies
  • Allow session cookies
  • Block Third-party Cookies”[8]

The Tools option from Internet Explorer also includes “InPrivate Filtering Settings”. Those settings on my PC listed over 100 websites where the web company was “Allowed” to collect data from my workstation. There are options to “Block” this data collection, but none of the websites were blocked.[9]

To determine whether a central repository of data on me existed, I did a Google search on my name and found over 22 million sites referenced. While my name is relatively unique, the references included others with the same first and last names. To narrow the search, I selected my name at General Motors, with the results showing over 71 thousand references, including:

  • Facebook
  • Twitter
  • LinkedIn
  • White Pages
  • Blogs from CMU classes
  • A professional publication while I was a consultant
  • Sites that had collected my name from public records[10]

Note while I have accounts with Facebook, Twitter, and LinkedIn, there is no personal information on those sites and my phone number is unlisted, so individuals who do provide personal information should have considerable more data online.

Other Views

Larry Magid, who writes about the internet for Forbes and other publications, agrees: “One area where the commission did call for “targeted legislation” is to address consumers’ lack of control over how data brokers collect and use our information. The amount of information floating around about each of us is staggering. Anyone with a phone, a bank account or a “loyalty” card, such as the one I use to get fairer prices when I shop at Safeway, is giving up information every time they shop, make a call or get on an airplane … So, thank you FTC for outlining a broad approach to transparency when it comes to accessing our own data. Now it’s time for Congress to enact legislation that truly benefits consumers, not just those who profit from our information.”[11]

Google, not surprisingly, had a dissenting opinion: “What is sometimes referred to as tracking is often data collection that helps ensure the security and integrity of data, determines relevancy of served content and also helps create innovation opportunities. It is important not to let a single negatively-loaded term obscure the fact that data collection is the source for the creation of value as well as the legitimate concerns of different parties.”[12]

The FTC membership was also not unanimous in publishing the report. Commissioner J. Thomas Rosch wrote “the current state of “Do Not Track” still leaves unanswered many important questions” (which leaves IT organizations guessing regarding the complete requirements of how to implement “Do Not Track”), “opt-in” will necessarily be selected as the de facto method of consumer choice” and “although characterized as only “best practices,” the Report’s recommendations may be construed as federal requirements”.[13]

Conclusion

While the FTC report was not met with universal agreement and still leaves portions of the implementation open to interpretation, the report in my view is a welcome improvement to online activity. There is:

  • Far too much software that has been developed that doesn’t sufficiently include privacy requirements,
  • The current methods to protect privacy are vague, confusing, and difficult to implement, and
  • The amount of data being collected for even security conscious individuals is excessive.

My personal view is legitimate companies should immediately work to implement the FTC’s recommendations, and Congress should enact similar legislation to govern those companies who choose to circumvent the rules.


[1] FTC Issues Final Commission Report on Protecting Consumer Privacy: Agency Calls on Companies to Adopt Best Privacy Practices, March 26, 2012. http://www.ftc.gov/opa/2012/03/privacyframework.shtm

[2] Ibid

[3] FTC Issues Final Report On Online Privacy Recommendations, Marketing Land, 3/26/12, Pamela Parker http://marketingland.com/ftc-issues-final-report-on-online-privacy-recommendations-8620

[4] FTC Issues Final Commission Report on Protecting Consumer Privacy: Agency Calls on Companies to Adopt Best Privacy Practices, March 26, 2012. http://www.ftc.gov/opa/2012/03/privacyframework.shtm

[5] Ibid

[6] FTC Releases Final Privacy Report and Framework for Protecting Consumer Privacy, Privacy and TechComm Client Alert, Patton Boggs LLP, http://www.pattonboggs.com/files/News/f362e7db-4c27-4a5a-a444-05d620bad7f2/Presentation/NewsAttachment/b9242d77-c0ec-489a-ae9b-0872415f79a7/TechComm_Client_Alert_FTC_Privacy_Report_03_28_12_2012.pdf

[7] Windows Help and Support, InPrivate: frequently asked questions, installed on my computer

[8] Windows Internet Explorer, Internet Tools options, status on my GM computer, April 7, 2012

[9] Windows Internet Explorer, InPrivate Filtering options, status on my GM computer, April 7, 2012

[10] Google search on my name at General Motors, April 7, 2012

[11] Ibid

[12] Transparency and Choice: Protecting Consumer Privacy in an Online World, Alma Whittena, Sean Harveyb, Ian Fettec, Betsy Masielloc, Jochen Eisingerd, Jane Horvathe, http://static.googleusercontent.com/external_content/untrusted_dlcp/research.google.com/en/us/pubs/archive/37350.pdf

[13] FTC Issues Final Commission Report on Protecting Consumer Privacy: Agency Calls on Companies to Adopt Best Privacy Practices, March 26, 2012. http://www.ftc.gov/opa/2012/03/privacyframework.shtm

Advertisements

Actions

Information

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: